[Pkg-samba-maint] Bug#927747: Bug#927747: bind9_dlz backend is entirely broken in Debian

Mathieu Parent math.parent at gmail.com
Tue Apr 23 21:24:54 BST 2019

clone 927747 -1
reassign -1 bind9
severity -1 serious
retitle -1 bind9: Please add "/var/lib/samba/bind-dns/** rwk," to apparmor profile

Le lun. 22 avr. 2019 à 17:30, Steinar H. Gunderson <sesse at debian.org> a écrit :
> Package: samba
> Version: 2:4.9.5+dfsg-3
> Severity: grave
> Hi,


Thanks for your detailed report.

> I upgraded a DC from stretch to buster, and DNS for AD (via bind9_dlz)
> started failing in strange ways. (In particular, when I changed the IP address
> of the DC, samba-tool dns query would return the correct addresses, but actual
> DNS lookups would return the old ones.) It turns out that upstream, bind9_dlz
> data has moved from /var/lib/samba/private to /var/lib/samba/bind-dns; however,
> there's no notice about this anywhere, and the path does not exist in Debian.
> (Thus, the .conf file in use didn't even mention the BIND 9.11 .so file, much
> less load it.) Furthermore, if you try to remedy this problem yourself by
> mkdir-ing the new directory and running samba_dnsupgrade, BIND will no longer
> start due to AppArmor policies being out of date:
>   [84419.640664] audit: type=1400 audit(1555945763.230:88): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9043 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
>   [84486.581899] audit: type=1400 audit(1555945830.170:89): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9171 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
> Given that AppArmor now seems to be default on in buster, this breaks
> the functionality completely, even for new installations (not just for
> upgrades from stretch).
> I would suppose that postinst needs to check whether BIND9_DLZ is in use,
> and if so, run samba_upgradedns --dns-backend=BIND9_DLZ and then finally
> pop up a message saying that the admin will have to change the .conf path
> in named.conf.local. And the AppArmor profile will need to be fixed.
> Even after this, I had to run samba_dnsupdate once with --use-samba-tool,
> and then it would finally run without “dns_tkey_gssnegotiate: TKEY is
> unacceptable” the next time.

There are several issues here. Trying a summary.
1. We need to patch bind9 apparmor profile (this is the cloned bug)
2. The /var/lib/samba/bind-dns directory is created on domain
provision. Nothing to do here?
3. bind9 conf "include" should be updated. As the conffile is not
owned by samba all we can do is print a message in samba preinst
(if include "/usr/local/samba/private/named.conf" is found in
/etc/named/named.conf or /etc/bind/named.conf.local)
4. Patching "named.conf" template to load the correct bind9 module (i.e. 9.11)
5. Run "samba_upgradedns --dns-backend=BIND9_DLZ", but when?
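The preinst check sketched in the summary (grep the BIND conffiles for an include of the old private/ named.conf path and warn the admin), written out as an added shell example. This is not code from the Debian samba package; the function name, the message text and the sample config file are constructed for the illustration, and the pattern also accepts the /var/lib/samba/private/ form of the old path that the current apparmor profile refers to.

```shell
#!/bin/sh
# Added example, not the samba package's own preinst. Scans the given BIND
# configuration files for an "include" of the pre-4.9 bind9_dlz named.conf
# location and prints the file that still references it.

# Print the first file that still includes the old bind9_dlz named.conf.
# Returns 0 if such a file exists, 1 otherwise. Both the upstream default
# (/usr/local/samba/private) and the Debian path (/var/lib/samba/private)
# are matched; the new location is /var/lib/samba/bind-dns.
find_stale_dlz_include() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -Eq '^[[:space:]]*include[[:space:]]+"(/usr/local|/var/lib)/samba/private/named\.conf"[[:space:]]*;' "$f"; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Preinst-style wrapper: warn (to stderr) but never fail the package
# installation over a configuration file samba does not own.
warn_if_stale_dlz_include() {
    stale=$(find_stale_dlz_include "$@") || return 0
    cat >&2 <<EOF
samba: $stale still includes the old bind9_dlz named.conf under
samba/private. The bind9_dlz data now lives in /var/lib/samba/bind-dns;
run "samba_upgradedns --dns-backend=BIND9_DLZ" and change the include to
/var/lib/samba/bind-dns/named.conf, then restart bind9.
EOF
    return 0
}

# Demo on a constructed file (the real check would be run on
# /etc/named/named.conf and /etc/bind/named.conf.local).
demo_dir=$(mktemp -d)
printf 'include "/usr/local/samba/private/named.conf";\n' > "$demo_dir/named.conf.local"
warn_if_stale_dlz_include "$demo_dir/named.conf.local"
rm -rf "$demo_dir"
```

The detection function and the warning are separated so the check can be unit-tested, and the wrapper always returns 0 because a preinst must not abort the upgrade over a file that belongs to bind9.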

1. I think adding this rule is ok:

+/var/lib/samba/bind-dns/** rwk,
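Review bot: `+/var/lib/samba/bind-dns/** rwk,` grants named read, write and lock on everything under /var/lib/samba/bind-dns, while the only denial in the report is `requested_mask="r"` on /var/lib/samba/bind-dns/named.conf; a read-only rule for the .conf files, with rwk limited to the dns/ subtree as in the second proposal, keeps the write access granted to named to what the backend actually needs.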

But we may do better with something like this (to be tested and improved):

   /var/lib/samba/private/dns.keytab r,
   /var/lib/samba/private/named.conf r,
-  /var/lib/samba/private/dns/** rwk,
+ /var/lib/samba/bind-dns/*.conf r,
+ /var/lib/samba/bind-dns/dns/** rwk,
-  /etc/smb.conf r,
+  /etc/samba/smb.conf r,
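Review bot: this hunk drops `/var/lib/samba/private/dns/** rwk,` but leaves `/var/lib/samba/private/dns.keytab r,` untouched; since the report says the bind9_dlz data moved from /var/lib/samba/private to /var/lib/samba/bind-dns, check whether dns.keytab is also under bind-dns after samba_upgradedns and add a matching read rule, otherwise the profile would still deny it. Two style points: the `+ ` lines are indented with one space where the surrounding rules use two, and the `/etc/smb.conf` to `/etc/samba/smb.conf` fix is unrelated to this bug and would be clearer as a separate change.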

Mathieu Parent
